Merge pull request #1 from HakordiaNetwork/alert-autofix-17

Potential fix for code scanning alert no. 17: Code injection

Author: lamcodeofpwnosec

fixtures/dom/src/react-loader.js

@@ -39,27 +39,39 @@ function loadScript(src) {
 function loadModules(SymbolSrcPairs) {
   let firstScript = document.getElementsByTagName('script')[0];
 
-  let imports = '';
-  SymbolSrcPairs.map(([symbol, src]) => {
-    imports += `import ${symbol} from "${src}";\n`;
-    imports += `window.${symbol} = ${symbol};\n`;
-  });
-
   return new Promise((resolve, reject) => {
     const timeout = setTimeout(
       () => reject(new Error('Timed out loading react modules over esm')),
       5000
     );
-    window.__loaded = () => {
-      clearTimeout(timeout);
-      resolve();
-    };
-
-    const moduleScript = document.createElement('script');
-    moduleScript.type = 'module';
-    moduleScript.textContent = imports + 'window.__loaded();';
 
-    firstScript.parentNode.insertBefore(moduleScript, firstScript);
+    let loadedCount = 0;
+    const totalModules = SymbolSrcPairs.length;
+
+    SymbolSrcPairs.forEach(([symbol, src]) => {
+      if (typeof symbol !== 'string' || typeof src !== 'string' || !/^https?:\/\//.test(src)) {
+        reject(new Error(`Invalid module specification: ${symbol}, ${src}`));
+        return;
+      }
+
+      const scriptNode = document.createElement('script');
+      scriptNode.type = 'module';
+      scriptNode.src = src;
+      scriptNode.onload = () => {
+        window[symbol] = window[symbol] || {}; // Ensure the symbol is available globally
+        loadedCount++;
+        if (loadedCount === totalModules) {
+          clearTimeout(timeout);
+          resolve();
+        }
+      };
+      scriptNode.onerror = () => {
+        clearTimeout(timeout);
+        reject(new Error(`Failed to load module: ${src}`));
+      };
+
+      firstScript.parentNode.insertBefore(scriptNode, firstScript);
+    });
   });
 }